With the advent of data protection laws like GDPR and CCPA, the concept of opt-in and opt-out has gained a lot of significance over the past few years. You cannot collect, share or use people’s data without their consent unless for reasons that have other lawful bases.
We will discuss what opt-in and opt-out mean and when and how to use them for data processing.
What is opt-in and opt-out?
Opt-in
The meaning of opt-in is to give permission or accept something. In other words, it is an affirmative action of giving or asking for user consent.
You must be familiar with websites using checkboxes for users to agree to terms and conditions. It is an example of opt-in. Users can register their consent to the request by ticking the box.
In the opt-in model, you cannot collect or use user data unless the users give their permission.
There are often many requirements associated with opt-in consent. Consent is only valid when it meets the following conditions:
- Freely given: Users were not forced to give their consent using terms and conditions or deceptive design or UI.
- Informed: Users were informed of how their data will be used when they give consent.
- Specific: Consent for different purposes for collecting personal data is not bundled as one but requires users to opt-in for them separately.
- Unambiguous: Users had an explicit way to express their agreement, such as ticking a checkbox or clicking a button.
- Documented: Businesses must keep detailed records of consent to demonstrate compliance with legal requirements.
Laws like GDPR and LGPD follow the opt-in approach for personal data processing.
Opt-out
The meaning of opt-out is to refuse permission or cancel something. In other words, it is an act of refusing or withdrawing consent in response to a particular event or process.
In the opt-out model, it is presumed that users agree to the collection or use of their data. They can stop this by using the opt-out option.
Key characteristics of opt-out consent include:
- Default inclusion unless explicitly declined.
- Requires businesses to provide easy and accessible mechanisms for users to withdraw their consent.
- Relies heavily on user action to reduce the risk of non-compliance.
- Suitable for regions or laws with less stringent consent requirements.
US laws like CPRA and VCDPA follow the opt-out approach.
Opt-in and opt-out examples
Opt-in example
Opt-in is obtained for several purposes, like subscribing to newsletters, agreeing to terms and conditions, permission to save user details, consent to use cookies, etc.
One common example is checkboxes in forms. Companies ask permission from users to share or use the data they enter in the form for purposes like email marketing or advertisements.
Spotify uses an opt-in registration form to ask for users’ consent to share their registration data for marketing and cross-border transfer. Users can express their agreement by ticking the checkbox.
Opt-out example
Not choosing to subscribe to newsletters, unticking a previously ticked checkbox, not consenting to save personal details, rejecting the use of cookies, etc. are some examples of opt-out.
E.g. Companies add an unsubscribe link at the end of their emails to let users opt out of emails. When users click the link, it will remove their emails from the company’s email marketing list.
Cookie opt-in and opt-out
Cookies perhaps occupy the top position in all discussions on opt-in and opt-out, thanks to data protection laws like ePrivacy Directive and GDPR. These laws regulate the use of cookies by making opt-in and opt-out consent models mandatory requirements.
E.g. if your website uses cookies that track the personal data of users, you must get their consent to do so before placing the cookies on their devices. You must also provide them the option to reject cookies or withdraw consent in case they opted in and want to opt out later.
Additionally, you must provide clear and precise information about cookies (including strictly necessary cookies) and their purpose when users visit a website. This will help them make an informed decision about whether to opt in or opt out of the use of cookies.
One of the major decisions around the consent regarding cookies was firmly established after the CJEU-Plant49 judgment.
The judgment stated that the users’ opt-in obtained through pre-ticked checkboxes is no longer valid. Also, you cannot bundle multiple consent requests as one. They should be kept separate. The third point of the judgment said that the users must be aware of all the details about the cookies and what consenting to use them will mean. Knowledge of such information will make the decision easy and clear for them.
Opt-in and opt-out on cookies are generally implemented using cookie consent tools.
CPRA supports the opt-out model where you don’t have to include any option for opt-in. However, a good rule of thumb is that you should use a hybrid model, i.e. provide opt-in and opt-out options.
Here is one example of a cookie consent banner that has both opt-in and opt-out buttons.
- Sign up on CookieYes for free
- Add a cookie banner
- Scan for cookies
Sign up on CookieYes for free using your email address and website URL.
Copy and paste the unique code to your site to add the cookie banner, which has both opt-in and opt-out options by default.
Scan your website for cookies to find out all cookies and their categories set by your website. This will activate auto-blocking of third-party cookies until users opt in.
When and how to implement opt-in?
Let’s look at some cases with examples where you should use opt-in options and how to implement each of them.
#1 When you collect personal data of people in the EU
… and when none of the below legal bases of processing applies:
- Contractual Obligation
- Legal Obligation
- Legitimate Interest
- Vital Interest
- Public Interest
How: For asking for consent, you can choose one of the opt-in methods:
- Paper form
- Opt-in boxes on paper or electronically
- Opt-in buttons or links
- Yes/No options
- Technical settings or preference dashboard settings
- Emails requesting consent
- Oral consent requests
- Volunteering optional information for a specific purpose
#2 When you collect personal data from minors
If you require to collect the personal data of minors, you need parental consent.
How: Parental consent using any of the opt-in methods mentioned above.
#3 When you use third-party cookies.
You need explicit consent from users in such a case. A simple and clear opt-in option must be provided to them.
How: The opt-in option here can be implemented using cookie consent banners.
#4 When you require email addresses for newsletters and marketing purposes
Often, you may require consent to collect and store the email addresses of users to send newsletters or marketing emails.
How: Some of the ways you can implement the opt-in options are:
- Checkboxes at the end of forms
- Website footer
- First email (note that unless they opt-in for the subscription, you cannot send any more emails)
When and how to implement opt-out?
#1 When you use personal data for various purposes (lawful bases)
Users have the right to reject permission to collect or process their data if they deem it right. You are supposed to temporarily terminate the processing of data or delete the data in such cases.
How: A contact point or link to submit consent opt-out requests.
#2 When you collect personal data from California residents
Per the California Privacy Rights Act (CCPA’s amended version), websites must provide California consumers the right to opt out of having their personal data sold or shared with third parties.
How: Add a “Do Not Sell or Share My Personal Information” link on the website, which will take them to settings or pages where they can confirm their choice.
#3 When you use cookies (especially third-party cookies) for analytical and advertising purposes
Users must be able to withdraw or reject the usage of cookies should they deem it right.
How: Cookie banners must have a reject option or link to manage cookies where they can choose what type of cookie they do not want to be stored on their device.
#4 When You send emails to your users
At any point, if the users feel like they no more want to receive any content on their email addresses, they should be able to unsubscribe.
How: Include an easily accessible unsubscribe link in the emails or on the website.
FAQs on opt-in and opt-out
Opt-in means to give consent in various situations, like accepting cookies, subscribing to a newsletter, signing up for services, or agreeing with terms and conditions or a privacy policy.
Opt-out means to deny or withdraw consent, like rejecting cookies, unsubscribing from a newsletter, or denying permission to share your location.
A checkbox in a newsletter subscription form is an example of opt-in. Whereas, adding an unsubscription link in marketing emails is an example of opt-out.
It is hard to say which one is better. However, to analyze opt-in vs opt-out from a privacy standpoint, it is always better to have an opt-in option while collecting the personal data of users. It gives users control over their data and to choose if they want to share it. At the same time, it is important to have an opt-out in case you want to give users the right to withdraw or change their consent.
The GDPR requires businesses to let users opt out of collecting or using their personal data. However, the cornerstone of the regulation is obtaining valid user consent, i.e. opt-in. You cannot use opt-out without having opt-in for GDPR compliance. Even if the users opt in for data collection and processing, they must be able to withdraw consent at any time. Both options must have equal prominence.
Opt-in agreement between users and businesses where the users give their consent to businesses to collect or use their information. This consent must be freely given, informed, specific, and unambiguous.
To opt out of something in terms of data privacy means to reject or deny consent to use your personal information for business processing. It also means opting out of letting businesses process your information or share them with third parties. One can opt out even after opting in and businesses should ensure they can opt out as easily as they opt in.
You should use opt-out when you don’t want to participate in an event or want anyone to collect or use your personal data that may interfere with your right to privacy. For example, you can opt out of cookies on a website that is not only necessary for the services you want to avail, but they also collect your personal data for advertisements.